
Over the last two articles of this series, we have come a long way in kernel exploitation: we started by finding a buffer overflow in the driver code and went on to parsing the kernel structures needed to steal the token. In this final part, we will combine all the pieces and add the finishing touches that complete the exploit.

In the last part of this series, we worked on copying the System token from the System process to the cmd process. The final section of the exploit, which is often ignored, is how to avoid crashing: since we are dealing with ring 0, we must work out where execution should be redirected once the payload has run. One of the best available options is to route back to the parent function, as happens in the normal execution flow.

So now let's join all the pieces together.

First, let's obtain a handle to the driver; we saw how to do this in part 1. Below is the code snippet for the same.

The next step is to get the IOCTL for the stack overflow. This is also discussed in part 1.

The next step is to find the System process and replace the token of the spawned cmd process with its token. The System process is already running under PID 4, and since we have to copy the token from the System process to our cmd process, we first have to spawn the cmd process. Below is the code that uses the CreateProcess API to do so.

where the STARTUPINFO structure is as below

and the PROCESS_INFORMATION structure is as below

Note how the dwProcessId member of PROCESS_INFORMATION is referenced in the code; it holds the PID of the spawned process.

If we run only the above stub, we should get output like the one below: a cmd process is spawned with PID 1628.

Why are we extracting the PID of cmd? Any guesses? Yes, because while traversing the EPROCESS structures we will compare each entry's PID against the PID of the spawned cmd process. This was explained in the function in the last article like this:

CMD_process_enumerate:

mov rdx, [rcx-8] // UniqueProcessId sits 8 bytes before ActiveProcessLinks, so rcx-8 yields the PID.
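To make the "-8" in that instruction concrete, the following is an added example (not code from the original article) that mocks the relevant part of the layout in plain C: a constructed struct in which UniqueProcessId is immediately followed by the ActiveProcessLinks LIST_ENTRY, exactly the relative arrangement the snippet relies on. The struct, its padding, the sample PIDs and the circular list are all assumptions built for demonstration; real EPROCESS offsets differ between Windows builds and must be read from the target's symbols. The walk also shows the check a practitioner wants in such a loop: detecting that the circular list has wrapped, so a missing PID terminates cleanly instead of looping forever or running off into unmapped memory.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Doubly linked list entry, same shape as the kernel's LIST_ENTRY. */
typedef struct list_entry {
    struct list_entry *Flink;
    struct list_entry *Blink;
} LIST_ENTRY;

/* Constructed stand-in for the two adjacent EPROCESS fields the article
 * uses. Only the relative layout matters: ActiveProcessLinks immediately
 * follows the 8-byte UniqueProcessId, which is why [rcx-8] reads the PID
 * when rcx points at ActiveProcessLinks. The padding is an assumption. */
typedef struct mock_eprocess {
    char pad[0x10];                 /* assumed filler before the PID */
    uint64_t UniqueProcessId;       /* the PID, 8 bytes */
    LIST_ENTRY ActiveProcessLinks;  /* starts 8 bytes after the PID */
} MOCK_EPROCESS;

/* C equivalent of "mov rdx, [rcx-8]" with rcx = &ActiveProcessLinks. */
static uint64_t pid_from_links(const LIST_ENTRY *links) {
    return *(const uint64_t *)((const char *)links - 8);
}

/* Recover the enclosing entry from its ActiveProcessLinks pointer
 * (the same idea as the CONTAINING_RECORD macro). */
static MOCK_EPROCESS *eprocess_from_links(LIST_ENTRY *links) {
    return (MOCK_EPROCESS *)((char *)links - offsetof(MOCK_EPROCESS, ActiveProcessLinks));
}

/* Walk the circular list from `start` and return the entry whose PID
 * matches, or NULL. `max_steps` is a second guard so that a corrupted
 * list cannot keep the loop running; in ring 0 an unbounded walk is a
 * crash, not just a hang. */
static MOCK_EPROCESS *find_by_pid(LIST_ENTRY *start, uint64_t pid, size_t max_steps) {
    LIST_ENTRY *cur = start;
    for (size_t i = 0; i < max_steps; i++) {
        if (pid_from_links(cur) == pid)
            return eprocess_from_links(cur);
        cur = cur->Flink;
        if (cur == start)   /* wrapped around: PID is not in the list */
            break;
    }
    return NULL;
}

/* Link n constructed entries into a circular doubly linked list. */
static void link_processes(MOCK_EPROCESS *procs, size_t n) {
    for (size_t i = 0; i < n; i++) {
        procs[i].ActiveProcessLinks.Flink = &procs[(i + 1) % n].ActiveProcessLinks;
        procs[i].ActiveProcessLinks.Blink = &procs[(i + n - 1) % n].ActiveProcessLinks;
    }
}

/* Build three constructed entries (System as PID 4, a filler, and the
 * cmd process with the article's PID 1628), walk the list from the first
 * one and return the index of the entry holding `pid`, or -1 if absent. */
int demo_lookup(uint64_t pid) {
    static MOCK_EPROCESS procs[3];
    procs[0].UniqueProcessId = 4;     /* System */
    procs[1].UniqueProcessId = 900;   /* constructed filler process */
    procs[2].UniqueProcessId = 1628;  /* the spawned cmd process */
    link_processes(procs, 3);

    MOCK_EPROCESS *hit = find_by_pid(&procs[0].ActiveProcessLinks, pid, 64);
    return hit ? (int)(hit - procs) : -1;
}

int main(void) {
    printf("PID 1628 found at index %d\n", demo_lookup(1628));
    printf("PID 77 found at index %d\n", demo_lookup(77));
    return 0;
}
```

The wrap-around test (`cur == start`) is the part the one-line assembly snippet leaves implicit: on a real system the spawned cmd process is always present, but a defensive implementation still bounds the loop so that a wrong offset or a PID that is never matched ends the traversal rather than dereferencing garbage.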
